Social Engineering Testing
Technology Doesn't Get Phished. People Do.
Your firewall does not stop a convincing pretext. Your EDR does not catch a phone call. Your zero-trust architecture does not prevent an employee from handing their badge to a well-dressed visitor who claims to be from IT support. Social engineering testing evaluates the one attack surface that no technical control can fully protect: your people.
Evaluris designs and executes targeted social engineering campaigns — phishing, vishing, and physical intrusion testing — calibrated to your organization's threat profile, sector, and operational context. Every engagement produces findings your security awareness program can act on, and a narrative your leadership can understand.
The Human Layer Is the Most Consistently Exploited Attack Surface
In the vast majority of real-world breaches, a human being makes a decision that enables the attack — clicking a link, providing credentials over the phone, holding a door open, or executing a file. Technical controls fail because they depend on humans to configure them correctly, respond to alerts, and not be manipulated into bypassing them.
Security awareness training is necessary. It is not sufficient. Evaluris social engineering tests measure whether that training has changed behavior — not whether employees can pass a quiz about phishing indicators.
The goal of social engineering testing is not to embarrass employees who click. It is to measure the gap between awareness and action — and close it.
Methodology
Phishing Assessment
Scenario design: Evaluris develops phishing scenarios tailored to your organization — referencing internal systems, business processes, current events relevant to your sector, and sender profiles that reflect the threat actors most likely to target you. Generic phishing simulations measure nothing meaningful. Targeted, context-aware campaigns measure your real exposure.
Credential harvesting campaigns: Realistic cloned login pages for Microsoft 365, Okta, VPN portals, and business-specific platforms. Measurement of credential submission rates, time-to-click, and reporting rates.
Malware payload delivery: Where authorized, phishing emails with simulated payload delivery (macro-enabled documents, LNK files, ISO packages) that measure whether endpoint controls and user behavior would prevent execution in a real attack.
Spear phishing: Individually targeted campaigns against specific high-value personnel — executives, finance team members, IT administrators, and HR — using OSINT-driven personalization that replicates the methodology of advanced threat actors.
Vishing Assessment
Voice-based social engineering against your organization's staff, help desk, and IT support teams. Evaluris operators execute realistic pretexting scenarios designed to extract credentials, bypass access controls, or induce actions that would facilitate a real attack.
Common scenarios: IT support impersonation for password resets or MFA bypass, vendor and supplier impersonation, executive impersonation for urgent financial or access requests, and regulatory body impersonation.
Calls are recorded (where legally permitted and scope-agreed) and assessed against defined behavioral security criteria. Findings include specific dialogue analysis identifying the points at which security controls were bypassed and what response would have prevented the outcome.
Physical Intrusion Testing
Physical access to your environment gives an attacker capabilities that no remote exploit can replicate — direct access to network infrastructure, hardware implant placement, unattended workstation access, and document theft.
Evaluris physical intrusion testing assesses your physical security controls through realistic, controlled intrusion attempts: tailgating through access-controlled doors, visitor management bypass, social engineering of reception and security staff, identification of unlocked workstations, and assessment of sensitive document handling.
All physical engagements are conducted under strict legal authorization with defined rules of engagement, safety protocols, and immediate abort criteria agreed in advance.
Compliance Alignment
| Framework | Requirement |
|---|---|
| PCI DSS v4.0.1 | Req. 12.6 — security awareness program testing |
| HIPAA | Administrative safeguard — workforce security training validation |
| GDPR | Technical and organizational measures — human factor security |
| ISO 27001:2022 | A.6.3 — information security awareness, education and training |
| DORA Art. 25 | ICT security testing including human factor assessment |
| NIS2 Art. 21 | Human resource security and security awareness obligations |
Deliverables
- Campaign Metrics Report — click rates, credential submission rates, reporting rates, and time-to-click analysis per phishing campaign
- Vishing Call Analysis — recorded call transcripts, bypass point identification, and behavioral assessment
- Physical Intrusion Narrative — step-by-step account of access achieved, controls bypassed, and assets reached
- Employee Behavioral Risk Assessment — anonymized analysis of susceptibility patterns by department, role, and seniority
- Security Awareness Program Recommendations — specific, evidence-based improvements to existing training programs
- Executive Summary — board-ready human risk narrative
- Retest Benchmark — comparison metrics for follow-up campaigns measuring improvement
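The measurement side of the phishing assessment above, and the Campaign Metrics Report, Employee Behavioral Risk Assessment and Retest Benchmark deliverables, can be illustrated with a small scoring script. This is an added example, not Evaluris's own tooling: the CSV event-log format, the opaque recipient tokens, the department names and both campaign logs are constructed for the example. Rates are computed per recipient (a person who clicks twice counts once), time-to-click is measured from that recipient's send time, and departments below a minimum group size are suppressed so that the per-department view stays anonymized.

```python
"""Campaign metrics for a phishing-simulation engagement (added example).

Assumes a constructed event log with one CSV line per event:
    timestamp,recipient,department,event
where event is one of 'sent', 'clicked', 'submitted', 'reported' and
recipient is an opaque token rather than a name or e-mail address.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed baseline campaign log (not real data): 8 recipients.
BASELINE_LOG = """\
2024-03-04T09:00:00,r01,finance,sent
2024-03-04T09:00:00,r02,finance,sent
2024-03-04T09:00:00,r03,finance,sent
2024-03-04T09:00:00,r04,it,sent
2024-03-04T09:00:00,r05,it,sent
2024-03-04T09:00:00,r06,it,sent
2024-03-04T09:00:00,r07,hr,sent
2024-03-04T09:00:00,r08,hr,sent
2024-03-04T09:04:10,r01,finance,clicked
2024-03-04T09:05:00,r01,finance,submitted
2024-03-04T09:12:30,r02,finance,clicked
2024-03-04T09:20:00,r03,finance,reported
2024-03-04T09:03:00,r04,it,reported
2024-03-04T09:30:00,r05,it,clicked
2024-03-04T09:31:00,r05,it,reported
2024-03-04T09:45:00,r07,hr,clicked
2024-03-04T09:46:00,r07,hr,submitted
"""

# Constructed follow-up campaign log for the retest benchmark (not real data).
RETEST_LOG = """\
2024-06-10T09:00:00,r01,finance,sent
2024-06-10T09:00:00,r02,finance,sent
2024-06-10T09:00:00,r03,finance,sent
2024-06-10T09:00:00,r04,it,sent
2024-06-10T09:00:00,r05,it,sent
2024-06-10T09:00:00,r06,it,sent
2024-06-10T09:00:00,r07,hr,sent
2024-06-10T09:00:00,r08,hr,sent
2024-06-10T09:02:00,r01,finance,reported
2024-06-10T09:15:00,r02,finance,clicked
2024-06-10T09:05:00,r03,finance,reported
2024-06-10T09:01:00,r04,it,reported
2024-06-10T09:09:00,r05,it,reported
2024-06-10T09:12:00,r06,it,reported
2024-06-10T09:40:00,r07,hr,clicked
"""


def parse_log(text):
    """Parse CSV lines into (timestamp, recipient, department, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, rid, dept, kind = line.split(",")
        events.append((datetime.fromisoformat(ts), rid, dept, kind))
    return events


def per_recipient(events):
    """Collapse events to one record per recipient, keeping the earliest
    timestamp of each event type so repeat clicks do not inflate the rate."""
    recs = {}
    for ts, rid, dept, kind in events:
        rec = recs.setdefault(rid, {"department": dept})
        if kind not in rec or ts < rec[kind]:
            rec[kind] = ts
    return recs


def rates(recs):
    """Click, submission and reporting rates plus median time-to-click (seconds)."""
    sent = [r for r in recs.values() if "sent" in r]
    n = len(sent)
    if n == 0:
        return None

    def count(kind):
        return sum(1 for r in sent if kind in r)

    ttc = [(r["clicked"] - r["sent"]).total_seconds() for r in sent if "clicked" in r]
    return {
        "recipients": n,
        "click_rate": count("clicked") / n,
        "submission_rate": count("submitted") / n,
        "reporting_rate": count("reported") / n,
        "median_time_to_click_s": median(ttc) if ttc else None,
    }


def campaign_metrics(log_text):
    """Whole-campaign metrics for one log."""
    return rates(per_recipient(parse_log(log_text)))


def department_breakdown(log_text, min_group=3):
    """Rates per department; groups smaller than min_group are suppressed so a
    department of one or two people cannot be re-identified from its rate."""
    groups = defaultdict(dict)
    for rid, rec in per_recipient(parse_log(log_text)).items():
        groups[rec["department"]][rid] = rec
    return {d: (rates(g) if len(g) >= min_group else "suppressed")
            for d, g in groups.items()}


def retest_delta(baseline, retest):
    """Percentage-point change per rate between two campaigns: negative click and
    submission deltas and a positive reporting delta indicate improvement."""
    keys = ("click_rate", "submission_rate", "reporting_rate")
    return {k: round((retest[k] - baseline[k]) * 100, 1) for k in keys}


if __name__ == "__main__":
    base = campaign_metrics(BASELINE_LOG)
    print("campaign:", base)
    print("by department:", department_breakdown(BASELINE_LOG))
    print("retest delta (pp):", retest_delta(base, campaign_metrics(RETEST_LOG)))
```

The minimum group size is the knob that keeps the departmental view anonymized: with the constructed data, `hr` has only two recipients and is reported as suppressed rather than as a rate that would identify who clicked. The retest delta is expressed in percentage points so a follow-up campaign can be compared with the baseline without re-deriving the raw counts.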
Ready to scope this engagement?
Tell us about your environment, regulatory drivers, and timeline. We will align methodology, scope, and evidence requirements before testing begins.